Phiras\’s Blog

February 25, 10

XSS safe content in yii

Filed under: WEB-APP — Tags: , , — phiras @ 4:43 pm

In this post I am going to describe a solution to make your yii-based web application safe from illegal content injections.

I am going to make a use of the the yii wrapped htmlpurifier class inside a behavior. this behavior could be attached to any model with declaring the attributes we would like to make them XSS safe.

I have wrote the following behavior :

class CSafeContentBehavior extends CActiveRecordBehavior
   public $attributes =array();
   protected $purifier;

   function __construct(){
      $this->purifier = new CHtmlPurifier;

   public function beforeSave($event)
      foreach($this->attributes as $attribute){
         $this->getOwner()->{$attribute} = $this->purifier->purify($this->getOwner()->{$attribute});

place this class in a file in your application directory, for example : application/behaviors/CSafeContentBehavior.php
Now in your model you attach the behavior like this :

class Post extends CActiveRecord
   public function behaviors(){
      return array(
         'CSafeContentBehavor' => array(
         'class' => 'application.behaviors.CSafeContentBehavior',
         'attributes' => array('title', 'body'),

Here we go. Our Post model will now purify title and body columns before each save operation.


Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at

%d bloggers like this: